Educause Security Discussion mailing list archives

PCI DSS responses


From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Thu, 11 Jun 2009 13:57:50 -0700

Hi Everyone,

 Thanks for all the responses on and off list.

 For the last several years, our general stand on the DSS has been that adhering to it would be very costly and 
generally impractical, thus outsourcing combined with analog has been our method of choice. In that light, it was very 
informative to get so many responses from what institutions have been doing recently.

 Generally, we heard from institutions that:
   (a) never seriously considered adhering to the DSS due to perceived issues
   (b) did an in-depth analysis and avoided DSS due to cost
   (c) believe they are currently following the DSS

 We haven't yet heard back with additional details from some of the institutions who are following DSS. It would be 
interesting to get an idea for how all 40 pages of compliance requirements are being managed, and at what cost. This 
has to be the most challenging aspect of the DSS: unlike so many laws, "best effort" and "due diligence" simply aren't 
enough. It seems like an impressive feat to achieve such a compliance expectation in higher education.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
Office: 520-206-4873